
RIPE NCC’s last /8
• We do things differently!
• Ensures IPv4 access for all members
  - 16000+ /22s in a /8
  - members can get one /22 (=1024 addresses)
  - must already hold IPv6
  - must qualify for allocation
• /16 set aside for unforeseen situations
  - if unused, will be distributed
• No PI

Getting an IPv6 allocation
• To qualify, an organisation must:
  - Be an LIR
  - Have a plan for making assignments within two years
• Minimum allocation size /32
• Announcement as a single prefix recommended

RIPE Policy Proposal 2011-04 (UNDER DISCUSSION)
• Extension of the Minimum Size for IPv6 Initial Allocation
  - Proposes initial allocation up to a /29
  - For example, for small LIRs to deploy IPv6 via 6RD (RFC 5969)
• Proposal currently in Review Phase
  - The RIPE NCC is working on impact analysis

What does the first IPv6 allocation cost?
• for all
  - pending General Meeting decision
• or: for approximately 97% of the LIRs
  - more points, but not higher category!

Make an addressing plan (I)
• Number of hosts is irrelevant
• Multiple /48s per PoP can be used
  - separate blocks for infrastructure and customers
  - document address needs for allocation criteria
• /64 for all subnets
  - autoconfiguration works
  - renumbering easier
  - fewer typos because of simplicity

Make an addressing plan (II)
• Use one /64 block (per site) for loopbacks
  - One /128 per device
  - One /64 contains enough /128s for 18.446.744.073.709.551.616 devices

Point-to-Point Connections
• How much space for point-to-point connections?
  - RFC 4291: Interface IDs are required to be /64
  - RFC 3627: Use of /127 between routers considered harmful
  - RFC 6547: RFC 3627 to Historic Status
  - RFC 6164: Using /127 on Inter-Router links
• Be safe: reserve a /64, assign a /127 per point-to-point connection

Customer assignments
• Give your customers enough addresses
  - Up to a /48
• For more addresses, send in the request form
  - Alternatively, make a sub-allocation
• Every assignment must now be registered in the RIPE Database

Customers And Their /48
• Customers have no idea how to handle 65536 subnets!
• Provide them with information
  - https://www.ripe.net/lir-services/training/material/IPv6-for-LIRs-Training-Course/IPv6_addr_plan4.pdf

IPv6 Address Management
• Your Excel sheet might not scale
  - There are 65.536 /48s in a /32
  - There are 65.536 /64s in a /48
  - There are 16.777.216 /56s in a /32
• Find a suitable IPAM solution
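The addressing plan from the slides above (a loopback /64 with one /128 per device, a reserved /64 with an assigned /127 per point-to-point link, one /48 per customer, and the subnet counts that break an Excel sheet) worked through in code. This is an added example, not RIPE NCC training material; the 2001:db8::/32 allocation and the block numbering are constructed assumptions.

```python
"""Added example (not RIPE NCC code): carve a /32 IPv6 allocation into the
plan the slides describe. The 2001:db8::/32 allocation (the documentation
prefix) and the block numbering are constructed sample values."""
from ipaddress import IPv6Network


def nth_subnet(block, new_prefix, n):
    """n-th /new_prefix inside block, computed arithmetically so a /32 is
    never enumerated (65536 /48s, 16777216 /56s, ...)."""
    if new_prefix < block.prefixlen or n >= 1 << (new_prefix - block.prefixlen):
        raise IndexError(f"no /{new_prefix} number {n} inside {block}")
    return IPv6Network((int(block.network_address) + (n << (128 - new_prefix)),
                        new_prefix))


def subnet_count(block_prefix, sub_prefix):
    """How many /sub_prefix blocks fit in one /block_prefix."""
    return 1 << (sub_prefix - block_prefix)


def make_plan(allocation):
    """Slide plan: /48 #0 is infrastructure (/64 #0 for loopbacks, /64 #1
    onwards one reserved /64 per point-to-point link); customers get /48 #1+."""
    alloc = IPv6Network(allocation)
    infra = nth_subnet(alloc, 48, 0)
    return {"allocation": alloc, "infra": infra,
            "loopbacks": nth_subnet(infra, 64, 0)}


def loopback(plan, device_no):
    """One /128 per device out of the loopback /64."""
    return IPv6Network((int(plan["loopbacks"].network_address) + device_no, 128))


def point_to_point(plan, link_no):
    """Reserve a whole /64 per link, configure only its first /127."""
    reserved = nth_subnet(plan["infra"], 64, 1 + link_no)
    return reserved, nth_subnet(reserved, 127, 0)


def customer(plan, customer_no):
    """One /48 per customer, after the infrastructure /48."""
    return nth_subnet(plan["allocation"], 48, 1 + customer_no)


if __name__ == "__main__":
    p = make_plan("2001:db8::/32")
    print("loopback of device 1:", loopback(p, 1))
    print("link 0 reserved / assigned:", *point_to_point(p, 0))
    print("customer 0:", customer(p, 0))
    print("/56s in a /32:", subnet_count(32, 56))
```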

IPv6 Ripeness
• Rating system:
  - One star if the LIR has an IPv6 allocation
  - Additional stars if:
    - IPv6 prefix is announced on router
    - A route6 object is in the RIPE Database
    - Reverse DNS is set up
  - A list of all 4-star LIRs: http://ripeness.ripe.net/

Scenario 4: PI End User, not multihomed
(diagram: End User connected to ISP 1, not ISP 2)
• Part of LIR’s AS number
  - does not want to / can not run BGP
  - still wants “portable” addresses

How to get an AS Number
• Assignment requirements
  - Address space
  - Multihoming
  - One AS Number per network
• For LIR itself
• For End User
  - Sponsoring LIR requests it for End User
  - Direct Assignment User requests it for themselves

Publishing routing policy in IRR
• Required by some Transit Providers & IXPs
  - they use it for prefix-based filtering
• Allows for automated generation of prefix filters
  - and router configuration commands, based on RR
• Contributes to routing security
  - prefix filtering based on IRR registered routes prevents accidental leaks and route hijacking
• Good housekeeping

RIPE RR is part of the RIPE Database
• route[6] object creation is the responsibility of the LIR
  - every time you receive a new allocation, create a route or route6 object
• route and route6 objects represent a routed prefix
  - address space being announced by an AS number

Limitations of the Routing Registry
• Many registries exist, operated by different parties:
  - Not all of them mirror each other
  - Do you trust the information they provide?
• The IRR system is far from complete
• Resulting filters are hard to maintain and can take a lot of router memory

The RIPE NCC involvement in RPKI
• The authority on who is the holder of an Internet Number Resource in our region
  - IPv4 and IPv6 address ranges
  - Autonomous System Numbers
• Information is kept in the registry
• Accuracy and completeness are key

Digital resource certificates
• Issue digital certificates along with the registration of Internet Resources
• Two main purposes:
  - Make the registry more robust
  - Make Internet routing more secure
• Validation is the added value

Using certificates
• Certification is a free, opt-in service
  - Your choice to request a certificate
  - Linked to your membership
  - Renewed every 12 months
• Certificate does not list any identity information
• Digital proof you are the holder of a resource

The PKI system
• The RIRs hold a self-signed root certificate for all the resources that they have in the registry
  - They are the trust anchor for the system
• That root certificate is used to sign a certificate that lists your resources
• You can issue child certificates for those resources to your customers
  - When making assignments or sub-allocations

Which resources are certified?
• Provider Aggregatable (PA) IP addresses
• Provider Independent (PI) addresses marked as “Infrastructure”
• Other resources will be added over time:
  - PI addresses for which we have a contract
  - ERX resources

Route Origination Authorisation (ROA)
• Next to the prefix and the ASN which is allowed to announce it, the ROA contains:
  - A minimum prefix length
  - A maximum prefix length
  - An expiry date
• Multiple ROAs can exist for the same prefix
• ROAs can overlap

Publication and validation
• ROAs are published in the same repositories as the certificates and their keys
• You can download them and use software to verify that all the cryptographic signatures are valid
  - Was this really the owner of the prefix?
• You will end up with a list of prefixes and the ASN that is expected to originate them
  - And you can be sure the information comes from the holder of the resources

ROA Validation
• You can download all the certificates, public keys and ROAs which form the RPKI
• Software running on your own machine can retrieve and then verify the information
  - Cryptographic tools can check all the signatures
• The result is a list of all valid combinations of ASN and prefix, the “validated cache”

Reasons for a ROA to be invalid
• The start date is in the future
  - Actually this is flagged as an error
• The end date is in the past
  - It is expired and the ROA will be ignored
• The signing certificate or key pair has expired or has been revoked
• It does not validate back to a configured trust anchor

The Decision Process
• When you receive a BGP announcement from one of your neighbours you can compare this to the validated cache
• There are three possible outcomes:
  - Unknown: there is no covering ROA for this prefix
  - Valid: a ROA matching the prefix and ASN is found
  - Invalid: there is a ROA but it does not match the ASN or the prefix length

Modifying the Validated Cache
• The RIPE NCC Validator allows you to manually override the validation process
• Adding an ignore filter will ignore all ROAs for a given prefix
  - The end result is that the validation state will be “unknown”
• Creating a whitelist entry for a prefix and ASN will locally create a valid ROA
  - The end result is that the validation state becomes “valid”
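The validity checks, the three-way decision process and the ignore/whitelist overrides from the last four slides, as an added example that is not the RIPE NCC Validator’s own code. It assumes a ROA is modelled as prefix, maximum length, ASN and validity dates (the prefix’s own length acts as the minimum length), that an ignore filter drops every cached ROA overlapping its prefix, and that all ROAs, dates, prefixes and AS numbers are constructed sample data.

```python
"""Added example (not the RIPE NCC Validator's code): build a validated cache
from ROA records, apply ignore-filter / whitelist overrides and classify a
BGP announcement as Valid, Invalid or Unknown. All data below is constructed."""
from datetime import date
from ipaddress import ip_network

# (prefix, max_length, origin_asn, not_before, not_after); the ROA prefix's
# own length serves as the minimum length. The two IPv6 ROAs overlap on purpose
# and the IPv4 one has expired before TODAY.
SAMPLE_ROAS = [
    ("2001:db8::/32", 48, 64500, date(2012, 1, 1), date(2013, 1, 1)),
    ("2001:db8:ff00::/40", 40, 64501, date(2012, 1, 1), date(2013, 1, 1)),
    ("198.51.100.0/24", 24, 64502, date(2011, 1, 1), date(2011, 12, 31)),
]
TODAY = date(2012, 6, 1)  # constructed "current" date for the checks


def build_cache(roas, today):
    """Validated cache as (network, max_len, asn). A start date in the future
    is an error; an end date in the past means the ROA is simply ignored."""
    cache = []
    for prefix, max_len, asn, start, end in roas:
        if start > today:
            raise ValueError(f"ROA for {prefix} starts in the future")
        if end >= today:
            cache.append((ip_network(prefix), max_len, asn))
    return cache


def apply_overrides(cache, ignore=(), whitelist=()):
    """Local overrides as modelled here: an ignore filter drops every cached
    ROA overlapping the given prefix; a whitelist entry adds a local ROA for
    exactly that prefix and ASN."""
    ignored = [ip_network(p) for p in ignore]
    kept = [r for r in cache if not any(
        r[0].version == i.version and r[0].overlaps(i) for i in ignored)]
    for prefix, asn in whitelist:
        net = ip_network(prefix)
        kept.append((net, net.prefixlen, asn))
    return kept


def validate(cache, announcement, origin_asn):
    """Decision process from the slides: Unknown without a covering ROA,
    Valid if a covering ROA matches ASN and prefix length, else Invalid."""
    net = ip_network(announcement)
    covering = [r for r in cache
                if r[0].version == net.version and net.subnet_of(r[0])]
    if not covering:
        return "Unknown"
    if any(asn == origin_asn and net.prefixlen <= max_len
           for _, max_len, asn in covering):
        return "Valid"
    return "Invalid"
```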

The Decision is Yours
• The Validator is a tool which can help you make informed decisions about routing
• Using it properly can enhance the security and stability of the Internet
• It is your network and you make the final decision

Public Testbeds
• A few people allow access to routers that run RPKI and allow you to have a look at it
• RIPE NCC has a Cisco:
  - Telnet to rpki-rtr.ripe.net
  - User: ripe, no password
• Eurotransit has a Juniper:
  - Telnet to 193.34.50.25 or 193.34.50.26
  - Username: rpki, password: testbed
• http://www.ripe.net/lir-services/resource-management/certification/tools-and-resources

Roadmap
• Support for non-hosted is still under development by the RIPE NCC
  - Expected release will be third quarter 2012
• We can give you access to beta test
  - Mail certification@ripe.net if you are interested
• More information will be published on the certification website
  - http://www.ripe.net/certification